Download Secure Multi-party Quantum Computation

Secure Multi-party Quantum Computation
Claude Crépeau
∗
Daniel Gottesman
Adam Smith
‡
McGill University
UC Berkeley
MIT
[email protected]
[email protected]
[email protected]
ABSTRACT
Secure multi-party computing, also called secure function evaluation, has been extensively studied in classical cryptography. We consider the extension of this task
to computation with quantum inputs and circuits. Our
protocols are information-theoretically secure, i.e. no
assumptions are made on the computational power of
the adversary. For the weaker task of verifiable quantum secret sharing, we give a protocol which tolerates
any t < n/4 cheating parties (out of n). This is shown
to be optimal. We use this new tool to show how to
perform any multi-party quantum computation as long
as the number of dishonest players is less than n/6.
Keywords
Quantum cryptography, multi-party protocols, secure
function evaluation, distributed computing
1.
†
INTRODUCTION
Secure distributed protocols have been an important
and fruitful area of research for modern cryptography.
In this setting, there is a group of participants who wish
to perform some joint task, despite the fact that some
of the participants in the protocol may cheat in order to
obtain additional information or corrupt the outcome.
We investigate a quantum version of an extensively
studied classical problem, secure multi-party computation (or secure function evaluation), first introduced by
[13]. A multi-party quantum computing (mpqc) proto∗Supported by Québec’s FCAR and Canada’s NSERC.
†Supported by the Clay Mathematics Institute.
‡Supported by the US DoD MURI program administered by the Army Research Office under grant
DAAD19-00-1-0177.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
STOC’02, May 19-21, 2002, Montreal, Quebec, Canada.
Copyright 2002 ACM 1-58113-495-9/02/0005 ...$5.00.
col allows n participants P1 , P2 , . . . , Pn to compute an
n-input quantum circuit in such a way that each party
Pi is responsible for providing one of the input states.
The output of the circuit is broken into n components
H1 ⊗ . . . ⊗ Hn , and Pi receives the output Hi . Note
that the inputs to this protocol are arbitrary quantum
states—the player providing an input need only have it
in his possession; he does not need to know a classical
description of it. Moreover, unlike in the classical case,
we cannot assume without loss of generality that the result of the computation will be broadcast. Instead, each
player in the protocol receives some part of the output.
Informally, we require two security conditions:
- Soundness and Completeness: no coalition of t or
fewer cheaters should be able to affect the outcome of
the protocol beyond their ability to choose their inputs.
- Privacy: no coalition of t or fewer cheaters should
learn anything beyond what they can deduce from their
initial knowledge of their input and from their part of
the output.
Verifiable Quantum Secret Sharing. In order to
construct mpqc protocols, we consider a subtask which
we call verifiable quantum secret sharing. In classical
cryptography, a verifiable secret sharing scheme [9] is
a two phase protocol with one player designated as the
“dealer”. After the first phase (commitment), the dealer
shares a secret amongst the players. In the second phase
(recovery), the players reconstruct the value publicly.
The natural quantum version of this allows a dealer to
share a state ρ (possibly unknown to him but nonetheless in his possession). Because quantum information
cannot be cloned, we cannot require that the state be
reconstructed publicly; instead, the recovery phase also
has a designated player, the reconstructor R. We require that, despite any malicious actions by ≤ t players:
- Soundness: As long as R is honest and the dealer
passes the commitment phase successfully, then there is
a unique quantum state which can be recovered by R.
- Completeness: When D is honest, then he always
passes the commitment phase. Moreover, when R is
also honest, then the value recovered by R is exactly
D’s input ρ.
- Privacy: When D is honest, no other player learns
info about D’s input until the recovery step.
Note that for quantum data, the privacy condition is
redundant: any information obtained about the shared
state would imply some disturbance of that state, contradicting the completeness requirement.
Contributions. We give a protocol for verifiable quantum secret sharing that tolerates any number t < n/4
of cheaters. We show that this is optimal, by proving
that vqss is impossible when t ≥ n/4. Based on techniques from fault-tolerant quantum computing, we use
our vqss protocol to construct a multi-party quantum
computation protocol tolerating any t < n/6 cheaters.
(Mpqc is similar to standard fault-tolerance but with
a different error model, see Previous Work). Our protocols run in time polynomial in both n, the number of
players, and k, the security parameter. The error of the
protocols is exponentially small in k.
Beyond these specific results, there are a number of
conceptual contributions of this paper to the theory of
quantum cryptographic protocols. We provide a simple,
general framework for defining and proving the security
of distributed quantum protocols in terms of equivalence
to an ideal protocol involving a third party. This follows the definitions for classical multi-party protocols.
The analysis of our protocols leads us to consider various notions of local “neighborhoods” of quantum states,
and more generally of quantum codes. We discuss three
notions of a neighborhood. The notion most often used
for the analysis of quantum error correction and faulttolerance is insufficient for our needs, but we show that
a very natural generalization (specific to so-called “css”
codes) is adequate for our purposes. Along the way, we
provide modified versions of the classical sharing protocols of [8]. The new property our protocols have is
that dealers do not need to remember the randomness
they use when constructing shares to distribute to other
players. This allows them to replace a random choice of
coins with the superposition over all such choices.
1.1
Previous Work
Classical mpc. Multi-party computing was introduced
by Goldreich, Micali and Wigderson [13], who showed
that under computational assumptions, secure multiparty evaluation of any function was possible tolerating any minority of cheating players, i.e. if and only if
t < n2 . If one assumes pairwise secure channels but no
computational assumptions, then one can compute any
function securely if and only if t < n/3 [5, 8]. If one
further assumes the availability of a secure broadcast
channel, then one can in fact tolerate t < n/2, and no
more ([21, 3, 11]). All of these protocols rely on verifiable secret sharing as a basic tool. Our solution draws
most heavily on the techniques of Chaum, Crépeau and
Damgård [8].
Beyond these basic protocols, much work has focused
on finding proper definitions of security, e.g. [14, 4, 18,
20, 6]. We adopt a simple definition based on the initial
definitions of Canetti.
Quantum Secret Sharing. Relatively little work exists on multi-party cryptographic protocols with quantum data. Secret sharing with a quantum secret was
first studied by Cleve et al. [10], who showed an equiv-
alence with quantum error-correcting codes (QECC).
Their scheme is the basis of our protocols. Chau [7]
deals with classical computations, but also mentions the
problem of verifiable quantum secret sharing as an open
question.
Fault-tolerant Quantum Computing. The goal
of ftqc is to tolerate non-malicious faults occurring
within a single computer. One assumes that at every
stage in the computation, every qubit in the circuit has
some known probability p of suffering a random error,
i.e. of becoming completely scrambled. Moreover, errors are assumed to occur independently of each other
and of the data in the computation.
One can view multi-party computation as fault-tolerant computing with a different error model, one that
is suited to distributed computing. The mpqc model
is weaker in some respects since we assume that errors
will always occur in the same, limited number of positions, i.e. errors will only occur in the systems of the
t corrupted players. In other respects, the error model
of mpqc is stronger: in our setting errors may be maliciously coordinated. In particular, they will not be
independently placed, and they may in fact depend on
the data of the computation—the adversaries will use
any partial information known about the other players’
data, as well as information about their own data, to attempt to corrupt the computation. For example, several
ftqc algorithms rely on the fact that at certain points
in the computation, at most one error is likely to occur.
Such algorithms will fail when errors are placed adversarially. Techniques from ftqc are nonetheless useful
for multi-party computing. We will draw most heavily
on techniques due to Aharonov and Ben-Or [2].
1.2
Definitions and Model
In this paper, we use a simple simulation-based framework for proving the security of quantum framework,
similar to early classical definitions. We specify a task
by giving a protocol for implementing it in an ideal
model where players have access to a trusted third party
T T P. We prove a given protocol secure by showing a
simulator which translates any attack in the real-world
protocol into an (almost) equally successful attack in
the ideal model.
We assume that every pair of participants is connected by perfect (i.e. authenticated, unjammable, secret) quantum and classical channels, and that there
is a classical authenticated broadcast channel to which
all players have access. Because we will always consider settings where t < n2 , we can also assume that
players can perform classical multi-party computations
securely [11]1 . The adversary is an arbitrary quantum
algorithm (or family of circuits) A (not necessarily polynomial time), and so the security of our protocols does
not rely on computational assumptions.
The real and ideal models, as well as the notion of
security, are specified more carefully in [22]. In this
paper, we use the following informal specifications of
1
In fact, even the assumption of a broadcast channel is
not strictly necessary, since t < n3 in our setting.
the ideal protocols. The real protocols are secure if they
succeed in simulating the ideal ones.
Multi-party Quantum Computation. All players
hand their inputs to the T T P, who runs the desired
circuit and hands back the outputs. Note that the only
kind of cheating which is possible is that cheaters may
choose their own input. In particular, cheaters cannot
force the protocol to abort.
Verifiable Quantum Secret Sharing. In the sharing
phase, the dealer gives his secret system to the trusted
party. In the reconstruction phase, the T T P sends the
secret system to the reconstructor R. The only catch is
that in the ideal model, honest players should not learn
the identity of R until after the first phase has finished
(otherwise, D could simply send the secret state to R
in the first phase without violating the definition).
1.3
Preliminaries
We present the notation necessary for reading the protocols and proofs in this paper. For a more detailed
explanation of the relevant background, see [22] or a
textbook such as [19].
We will work with p-dimensional quantum systems,
for some prime p > n. Such a system is called a qupit,
and the “computational” basis states are labelled by
elements in F = Zp . We will also be working in the
Fourier basis,P
which is given by the unitary transformation F |ai 7→ b ω ab |bi. A basis for the operators on a
qupit is given by the p2 Pauli operators X a Z b , where
X|ai = |a + 1i , Z|ai = ω a |ai, and ω = exp(2πi/p).
Tensor products of these operators yield the Pauli basis for the set of operators on a register of qupits. The
weight of a tensor product operator is the number of
components in which it is not the identity I.
Quantum Codes. The error-correcting codes used in
this paper are quantum CSS codes. These are defined
⊥
via two classical linear codes V, W ⊆ Zn
⊆
p such that V
(q)
W . If we denote W
= span{|wi : w ∈ W } for a
classical code W , then we can write the CSS code as
C = V (q) ∩ F W (q) . Thus, C is the set of states of n
qubits which yield a codeword of V when measured in
the computational basis and a codeword of W when
measured in the Fourier basis.
Specifically, we will use quantum Reed-Solomon codes
from [2]. We specify a quantum RS code by a single
parameter δ < n/2. The classical Reed-Solomon code
V δ is the set of all vectors q̂ = (q(1), q(2), . . . , q(n)),
where q is any univariate polynomial of degree at most δ.
The related code V0δ is the subset of V δ corresponding
to polynomials which interpolate to 0 at the point 0.
That is: V δ = {q̂ : q ∈ F [x] : deg(q) ≤ δ} and
V0δ = {q̂ : deg(q) ≤ δ and q(0) = 0} ⊆ V δ . The code
V δ has minimum distance d = n − δ, and an efficient
error correction procedure. Let δ 0 = n − δ − 1. There
are constants d1 , ..., dn ∈ Zp such that the dual of the
0
code V δ is just the code V0δ , rescaled by di in the ith
coordinate; similarly, the dual of V0δ is a rescaled version
0
0
0
of V δ . Denote these duals by W0δ , W δ , respectively.
δ
The quantum code C for parameter δ is the css code
0
obtained from codes V = V δ and W = W δ . It encodes
a single qupit, and has minimum distance δ + 1 (thus,
it corrects t = bδ/2c errors). Moreover, errors can be
corrected efficiently, given the syndrome of a corrupted
codeword, i.e. the V syndrome measured in the computational basis and the W syndrome measured in the
Fourier basis.
Transversal Operations. A nice result from faulttolerant computing [2, 15] is that one can in fact perform many operations on data encoded by a quantum
RS code using only local operations and classical information transmitted between the components. Consider
the following gates:
1.
2.
3.
4.
5.
Shift: X c : |ai 7→ |a + ci,
SUM: (c-X) : |a, bi 7→ |a, a + bi,
Scalar multiplication: 0 6= c ∈ F , Sc : |ai 7→ |aci,
Phase Shift: Z c : |ai 7→ wca |ai,
P
Fourier Transform: Fr : |ai 7→ √1p b∈F wrab |bi,
6. Toffoli (Multiplication): |ai|bi|ci 7→ |ai|bi|c + abi.
These gates are universal [2], in the sense that a sequence of these gates can approximate any unitary operation with arbitrary accuracy. Beyond these, in order
to simulate arbitrary quantum circuits one should also
be able to introduce qupits in some known state (say
|0i), as well as to discard qupits. For any css code,
the gates 1 through 4 from the set above can be implemented transversally, that is using only local operations which affect the same component of two codewords. Measurement and the remaining two operations
can be performed almost transversally.
Measurement. For a quantum RS code, measuring
each component of the encoding of |si yields a vector
q̂ = (q(1), ..., q(n)) where q(0) = s. This operation
is not quite transversal since after the qupit-wise measurement, the classical information must be gathered
together in order to extract the measurement result.
Nonetheless, it can tolerate arbitrary corrupton of δ/2 of
the positions in the codeword if classical error correction
is first applied to the vector of measurement results.
Fourier and Toffoli gates. For css codes, applying
the Fourier transform transversally maps data encoded
with the codes V, W to the Fourier transform of that
data, encoded with the dual code C˜ defined via the codes
W, V . For quantum RS codes, rescaling each component
0
of the dual code of C δ produces the code C δ . This allows
one to perform the map EC δ |ψi 7→ EC δ0 (F |ψi), where EC
is the encoding map for a code C.
When n = 2δ + 1, we have δ 0 = δ, so the Fourier
transform is in fact transversal, but the Toffoli gate is
difficult to perform.
When n = 3δ + 1, neither the Fourier transform nor
the Toffoli gate is transversal, but they can both be reduced to degree reduction via transversal operations [2].
Degree reduction maps an arbitrary state |ψi encoded
0
using C δ to |ψi encoded with C δ .
The circuit we use for degree reduction is due to
Gottesman and Bennett [15]. We start with one block
0
encoded usingP
C δ (system H1 ), and an ancilla block in
the state EC δ ( |ai) (system H2 ). Perform a SUM gate
from H2 to H1 (this can be done transversally by a property of the codes C δ ). Measure H1 in the computational
basis, obtaining b, and apply X b S−1 to H2 . The system
H2 now contains the data, encoded using C δ . This entire
procedure can be performed transversally except for the
measurement step. However, as noted above, measurement requires only classical communication between the
components.
entangled with the data in the computation, and so the
errors they introduce will not be independent of that
data. Instead, we show that our verifiable sharing protocol guarantees a condition similar to notion (3) (see
Lemma 3.1). In order to provide some intuition for the
proofs of Section 3, we characterize notion (3) below.
2.
Lemma 2.1.PIf ρ is in CB = VB ∩F ⊗n P
WB , then we
can write ρ = i pi |ψi ihψi |, where |ψi i = j cij Ej |φij i,
the Ej are Pauli operators on B and |φij i ∈ C.
NEIGHBORHOODS OF QUANTUM
CODES
One of the ideas behind classical multi-party computing protocols is to ensure that data is encoded in a
state that remains “close” to a codeword, differing only
on those positions held by cheaters (call that set B).
For classical codes, “close” means that the real word v
should differ from a codeword only on B, so that any errors introduced by cheaters are correctable. For a code
W , let the B-neighborhood WB be the set of vectors
differing from a codeword of W by positions in B, i.e.,
WB = {v : ∃w ∈ W s.t. supp(v − w) ∈ B}. Equivalently, one can define WB as the set of words obtained
by distributing a (correct) codeword to all players, and
then having all players send their shares to some (honest) reconstructor R.
For quantum codes, there is more than one natural
definition of the neighborhood corresponding to a set B
of positions. Let {1, ..., n} be partitioned according to
two sets A, B. We say a mixed state ρ0 is “in” C if all
states in the mixture lie in C, i.e. Tr(PC ρ0 ) = 1 where PC
is the projector onto C. We consider three definitions
of a “B-neighborhood” of a css code C. Let ρ be an
arbitrary state of the coding space.
1. ρ differs from a state in C only by some quantum
superoperator O acting only on B:
NB (C) = {ρ : ∃ρ0 in C, ∃Os.t. ρ = O(ρ0 )}.
2. ρ cannot be distinguished from a state in C by looking
only at positions in A.
STB (C) = {ρ : ∃ρ0 in C s.t. TrB (ρ) = TrB (ρ0 )}.
3. Specifically for css codes, one can require that the
state ρ pass checks on A in both bases, i.e. that
measuring either the VB syndrome in the computational basis, or the WB syndrome in the Fourier basis, yields 0. The set of states which pass this test is:
(q)
(q)
CB = VB ∩ F ⊗n WB .
In general, these notions form a strict hierarchy:
NB (C) ( STB (C) ( CB . Only notion (3) is always a
subspace (see [22] for details).
In the analysis of quantum error correction and faulttolerance schemes, it is sufficient to consider notion (1),
for two reasons. On one hand, one starts from a correctly encoded state. On the other hand, the errors
introduced by the environment will be independent of
the encoded data (and in fact they must be for error
correction to be possible at all in that context).
In our setting, however, we cannot make such assumptions, since the cheaters might possess states which are
Well-Definedness of Decoding for CB . The set CB
is a subspace, since it is defined in terms of measurement
outcomes. More particularly, it is spanned by the states
of NB (C):
(q)
(q)
Proof : To check if ρ is in CB , we measure the VB syndrome in the computational basis and the WB syndrome
in the Fourier basis. However, the distribution on this
outcome measurement will not change if we first measure the V and W syndromes, i.e. if we first make a measurement which projects ρ into one of the subspaces Ej C
(i.e. ρ maps to ρ0 = Pj ρPj with probability Tr (Pj ρ),
where Pj is the projector for the space Ej C).
The new state ρ0 lies completely in one of the spaces
Ej C. However, Ej C is either contained in CB (if there is
an operator equivalent to Ej which acts only on B) or
orthogonal to CB (if no such operator exists).
Thus Tr (Pj ρ) = 0 for all Ej which act on more than
B. Hence ρ is a mixture of states |ψi i each of which is
a linear combination of elements of the spaces {Ej C},
where Ej acts only on B. 2
This has a useful corollary, namely that decoding is
well-defined for states in CB . Formally, there are two
natural “reconstruction operators” for extracting the secret out of a state which has been shared among several
players. Suppose that C has distance d > 2t + 1 and
|B| ≤ t. First, D is the decoding operator for the errorcorrecting code C, which would be applied by an honest
player holding all of the shares. For any operator Ej of
weight less than t and for any state E|φi in C, we have
DEj E|φi = |φi ⊗ |ji (i.e. the error is not only corrected
but also identified). It will then discard the system containing the syndrome information |ji. Second, RI is the
“ideal recovery operator”, defined by identifying the set
B of cheaters and applying the simple interpolation circuit to any set of n − 2t good players’ positions (this
corresponds to erasure recovery).
Proposition 2.2. For any state ρ in CB , the state
RI (ρ) is well-defined and is equal to D(ρ).
Our protocols guarantee conditions similar to CB , and
well-definedness is essential for proving simulatability.
Proof : Consider a particular basis state Ej E|ai. The
decoding operator D will produce the state |ai|ji, since
errors of weight at most t can be identified uniquely.
The ideal operator RI will extract the encoded state |ai.
Without loss of generality, the ideal recovery operator
will replace |ai with |0i, the final output |ai ⊗ Ej E|0i.
In both cases, the output can be written as |ai tensored with some ancilla whose state depends only on the
syndrome j (and which identifies j uniquely). Once that
state is traced out, the outputs of both operators will be
identical. Another way to see this is that the ideal operator can simulate the real operator: one can go from
the output of the ideal operator to that of the real operator by applying a transformation which only affects
the ancilla. For a state ρ expressed
as in Lemma 2.1,
P
the final outcome will be ρ0 = ij pi |cij |2 |φij ihφij |. 2
3.
A TWO LEVEL VQSS PROTOCOL
In this section we define a two-tiered protocol for
vqss. It is based on the vqss protocols of [8] as well
as on the literature on quantum fault-tolerance and error correction, most notably on [2]. Detailed proofs for
the claims of this section are in [22]. However, some
intuition is given by the proofs of Section 2.
3.1
Sharing Shares: 2-GOOD Trees
In the vss protocol of [8], the dealer D takes his secret,
splits it into n shares and gives the ith component to
player i. Player i then shares this secret by splitting
it into n shares and giving the j th share to player j.
Thus, there are n2 total shares, which can be thought
of as the leaves of a tree with depth 2 and fan-out n:
each leaf is a share; the ith branch corresponds to the
shares created by player i, and the root corresponds to
the initial shares created by the dealer. Player j holds
the j th leaf in each branch of this tree. We will run
a cut-and-choose protocol in order to guarantee some
kind of consistency of the distributed shares.
During the protocol we accumulate n+1 sets of apparent cheaters: one set B for the dealer (this corresponds
to a set of branches emanating from the root), and one
set Bi for each player i (this corresponds to a subset of
the leaves in branch i). These sets all have size at most
t. At the end of the protocol, we want to guarantee certain invariants. Say V has minimum distance > 2t, and
each codeword corresponds to a single value a ∈ Zp .
Definition 1 (2-good trees). We say a tree of
n2 field elements is 2-good with respect to the code V
and the sets B, B1 , ..., Bn if:
1. For each i 6∈ C (i.e., corresponding to an honest
player), we have Bi ⊆ C, i.e. all apparent cheaters
are real cheaters.
2. For each branch i 6∈ B, the shares held by the honest
players not in Bi should all be consistent with some
codeword in V , i.e. the vector of all shares should be
in VBi ∪C , where C is the set of cheating players.
N.B.: Because there are at most t players in Bi and
at most t cheaters, there are at least d + 1 ≤ n −
2t honest players remaining, and so the polynomial
above is uniquely defined. This guarantees that for
each branch i 6∈ B, there is a unique value ai ∈ F
which is obtained by interpolating the shares of the
honest players not in Bi .
3. For i 6∈ B, the values ai defined by the previous property are all consistent with a codeword of V (i.e. the
vector (a1 , ..., an ) is in VB ).
We will abbreviate this as 2-goodV , when the sets B,
B1 ,...,Bn are clear from the context.
3.2
VQSS Protocol
The Vqss protocol is described in Protocols 1 and 2.
Intuitively, it guarantees that a tree of quantum shares
would yield a 2-good tree of classical values if measured
in either the computational basis or the Fourier basis.
0
0
We use the codes V = V δ = V δ and W = W δ = W δ ,
with n = 4t + 1, δ = δ 0 = 2t, although there is in fact
no need to do this: the protocol will work for any css
code with distance at least 2t + 1, so long as the codes
V, W are efficiently decodable.
The protocol can be tweaked for efficiency. The final
protocol takes three rounds. Each player sends and reand the broadcast channel
ceives O(n + log 1 ) qubits,
is used O n(n + log 1 ) times overall, where is the
soundness error of the protocol (this requires setting
k = n + log( 1 )).
Why is this a secure vqss protocol? We want to show
that the protocol is equivalent to the “ideal model”,
where at sharing time the dealer sends his secret system
S to a trusted outside party, and at reveal time the
trusted party sends S to the designated receiver. To do
that, we will use two main technical claims.
Soundness. We must show that at the end of the
protocol, if the dealer passes all tests then there is an
well-defined “shared state” which will be recovered by
the dealer. To do so, we guarantee a property similar
to CC (notion (3) of Section 2).
Lemma 3.1. The system has high fidelity to the following statement: “Either the dealer is caught (|B| >
t) or measuring all shares in the computational (resp.
Fourier) basis would yield a 2-good tree with respect to
the code V (resp. W ).”
Proof of this is via a “quantum-to-classical” reduction, similar to that of [17]. First, checks in the computational and Fourier bases don’t interfere with each
other, since they commute for CSS codes. Second, in
a given basis, we can assume w.l.o.g. that all ancillae
are first measured in that basis, reducing to a classical
analysis similar to [8].
Ideal Reconstruction. In order to prove soundness
carefully, we define an ideal interpolation circuit RI for
2-good trees: pick the first n − 2t honest players not in
B, say i1 , ..., in−2t . For each ij , pick n − 2t honest players not in Bij and apply the normal interpolation circuit
(i.e. erasure-recovery circuit) for the code to their shares
to get some qupit Rij . Applying the interpolation circuit again, we extract some system S which we take to
be the output of the ideal interpolation.
The real recovery operator D is given by Protocol 2.
The following lemma then applies, following essentially
from Proposition 2.2.
Lemma 3.2. Given a tree of qupits which is 2-good
in both bases, the outputs of RI and D are the same. In
particular, this means that no changes made by cheaters
to their shares can affect the outcome of D.
Lemmas 3.1 and 3.2 show that there is essentially a
unique state which will be recovered in the reconstruction phase when the receiver R is honest.
Protocol 1
(vqss—Sharing Phase). Dealer D gets as input a quantum system S to share.
• Sharing:
1. The dealer D prepares (k + 1)2 systems of n qupits each, called S`,m (for ` = 0, ..., k and m = 0, ..., k):
(a) Encodes S using C in S0,0 .
P
P
(b) Prepares k systems S0,1 , ..., S0,k in the state a∈F EC |ai = v∈V |vi.
P
(c) Prepares k(k + 1) systems S`,m , for ` = 1, ..., k and m = 0, ..., k, each in the state |0̄i = v∈V0 |vi.
(i)
(d) For each of the (k + 1)2 systems S`,m , D sends the ith component (denoted S`,m ) to player i.
2. Each player i, for each `, m = 0, ...k:
(i)
(a) Encodes the received system S`,m using C into an n qupit system S`,m,i .
(j)
(b) Sends the j th component S`,m,i to player j.
• Verification:
1. Get public random values b1 , ..., bk ∈R F . For each ` = 0, ..., k, m = 1, ..., k, each player j:
(a) Applies the SUM gate (c-X bm ) to his shares of the systems S`,0,i and S`,m,i .
(b) Measures his share of S`,m,i and broadcasts the result (i.e. each player broadcasts k(k + 1)n values).
(c) For each i ∈ {1, ..., n}, players update the set Bi based on the broadcast values: there are (k + 1)kn
broadcast words w`,m,i . Applying classical decoding to each of these yields min-weight error vectors
e`,m,i with supports B`,m,i . Set Bi = ∪`,m B`,m,i . If there are too many errors, add i to the global set B.
(d) Furthermore, players do the same at the root level: for all i 6∈ B, there is an interpolated value ai which
corresponds to the decoded codeword from the previous step. Players also decode the codeword (a1 , ..., an )
and update B accordingly (i.e. by adding any positions where errors occur to B).
2. All players apply the Fourier transform F to their shares.
3. Get public random values b01 , ..., b0k ∈R F . For ` = 1, ..., k, each player j:
0
(a) Applies the SUM gate (c-X b` ) to his shares of the systems S0,0,i and S`,0,i .
(b) Measures his share of S`,0,i and broadcasts the result (i.e. each player broadcasts kn values).
(c) For each i ∈ {1, ..., n}, players update Bi and B based on the broadcast values (as in Step 1c).
[Note: the sets B and B1 , ..., Bn are cumulative throughout the protocol.]
4. All players apply the inverse transform F −1 to their shares of S0,0 .
• The remaining shares (i.e. the components of the n systems S0,0,i ) form the sharing of the state ρ.
Protocol 2 (vqss—Reconstruction Phase). Player j sends his share of each of the systems S0,0,i to the
receiver R, who runs the following decoding algorithm:
1. For each branch i: Determine if there is a set B̃i such that Bi ⊆ B̃i , |B̃i | ≤ t and the shares of S0,0,i lie in CB̃i .
If not, add i to B. Otherwise, correct errors on B̃i and decode to obtain a system Si0 .
2. Apply interpolation to any set of n − 2t points not in B. Output the result S 0 .
Completeness. As discussed earlier, the protocol is
considered complete if when the dealer is honest, the
state that is recovered by an honest reconstructor is exactly the dealer’s input state. The key property is that
when the dealer D is honest, the effect of the verification
phase on the shares which never pass through cheaters’
hands is the identity.
Consider the case where the dealer’s input is a pure
state |ψi. On one hand, we can see by inspection that an
honest dealer will always pass the protocol. Moreover,
since the shares that only go through honest players’
hands remain unchanged, it must be that if some state
is reconstructed, then that state is |ψi, since the ideal
reconstruction operator uses only those shares. Finally,
we know that since the dealer passed the protocol the
overall tree must be 2-good in both bases, and so some
value will be reconstructed. Thus, on input |ψi, an hon-
est reconstructor will reconstruct |ψi. We have proved:
Lemma 3.3. If D and R are honest, and the dealer’s
input is a pure state |ψi, then R will reconstruct a state
ρ with fidelity 1 − 2−Ω(k) to the state |ψi.
Not surprisingly, this lemma also guarantees the privacy of the dealer’s input. By a strong form of the no
cloning theorem, any information the cheaters could obtain would cause some disturbance, at least for a subset
of the inputs. Thus, the protocol is in fact also private.
Simulatability. The claims above show that the protocol satisfies an intuitive notion of security. In this
section we sketch a proof that the protocol satisfies a
more formal notion of security: it is equivalent to a
simple ideal model protocol. The equivalence is statistical, that is the outputs of the real and ideal protocols
may not be identical but will have very high fidelity to
one another.
Theorem 3.4. Protocols 1 and 2 are a statistically
secure vqss scheme.
The ideal protocol is sketched in Section 1.2. To show
equivalence, we will give a transformation that takes an
adversary A1 for our protocol and turns it into an adversary A2 for the ideal protocol. To give the transformation, we exhibit a simulator S which acts as an
intermediary between A1 and the ideal protocol, making A1 believe that it is experiencing the real protocol.
The idea is that the simulator will simulate the regular vqss protocol either on input provided by a cheating
dealer or on bogus data |0i, and then extract and/or
change the shared state as needed.
We give a sketch of the simulation procedure in Algorithm 1. Why does this simulation work?
1. When D is cheating:
(a) When R is cheating, the simulation is trivially
faithful, since there is no difference between the
simulation and the real protocol: S runs the normal sharing protocol, then runs the interpolation
circuit, sending the result to T T P. In the reconstruction phase, S gets the same state back from
T T P, and runs the interpolation circuit in reverse.
Thus, the two executions of the interpolation circuit cancel out.
(b) When R is honest, the faithfulness of the simulation comes from Lemma 3.2: in the real protocol,
R outputs the result of the regular decoding operator. In the simulation, R gets the output of the
ideal interpolation. Since the shared state has high
fidelity to a 2-good tree (by Lemma 3.1), the outputs will be essentially identical in both settings
(i.e. they will have high fidelity).
2. When D is honest:
(a) When R is also honest, the faithfulness of the simulation follows from the completeness and privacy
properties of the real protocol. Privacy implies
that the adversary A1 cannot tell that it is actually participating in a sharing of |0i rather than
the dealer’s state, and completeness means that R
in the real protocol gets a state with high fidelity
to that received by R in the ideal protocol.
(b) When R is a cheater, S does not get S from T T P
until the reconstruction phase. Then he applies the
ideal interpolation circuit to extract the |0i state
used during the verification phase, swaps S with
|0i, then runs the ideal interpolation circuit backwards. Since the ideal interpolation circuit only
acts on shares of the honest players, S is capable
of performing these operations without tipping off
A1 to the fact that it is in a simulation. By the
completeness property of the real protocol and the
no-cloning theorem, the residual state left over after the ideal interpolation circuit (i.e., the state
of the cheaters) has almost no correlation to the
data shared using the circuit, so swapping in S
and running the circuit backwards gives us a state
with high fidelity to the state that would have resulted from sharing S directly with the same A1 .
Thus, the simulation is faithful in this case as well.
We have essentially proved Theorem 3.4.
3.3
Additional Properties
Two-level sharings produced by the same dealer (using the protocol above) have some additional properties,
which will be useful for multi-party computation. First
of all, notice that there is no problem in tracking the sets
B, B1 , ..., Bn incrementally across various invocations of
the protocol for the same dealer, and so we assume below that these sets are the same for different sharings
from the same dealer.
1. Some operations can be applied transversally to valid
sharings. Applying the linear operation (x, y) 7→
(x, y + bx) (denoted c-X b ) to all shares of two sharings effectively applies c-X b to the shared states.
Similarly, applying the Fourier rotation transversally
changes the sharing to the dual code and applies a
logical Fourier rotation. Finally, measuring all shares
of a valid sharing in the computational basis and applying classical decoding yields the same result as
measuring the shared state. Thus, players can measure without exchanging quantum information.
2. The dealer can additionally use the protocol to prove
to all players that the system he is sharing is exactly
the state |0i: the ancillas he P
uses in this case will all
be sharings of |0i (instead of
|ai). The verification
step is the same as before, except now players verify
that the reconstructed codeword at the top level interpolates to 0. Similarly,
P the dealer can prove that
he is sharing a state a |ai. This will be useful for
sharing ancillas in the mpqc protocol.
4.
LOWER BOUND FOR VQSS
Lemma 4.1. No 4-player vqss scheme tolerates one
cheater.
Proof : Suppose such a scheme exists. Consider a run
of the protocol in which all players behave perfectly
honestly until the end of the sharing phase, at which
point one (unknown) player introduces an arbitrary error. However, an honest “receiver” Ruth, given access to
the state of all players, must still be able to recover the
shared state. Thus, the joint state of all players constitutes a four-component qecc correcting one error.
However, no such code exists, not even a mixed-state
one, by the quantum Singleton bound [16]. 2
The optimality of our vqss scheme is an immediate corollary, since any protocol tolerating n/4 cheaters
could be used to construct a four-person protocol tolerating one cheater by having each participant simulate
n/4 players in the original protocol:
Theorem 4.2. No vqss scheme for n players exists
which tolerates all coalitions of dn/4e cheaters.
Note that we have only proved the impossibility of
perfect vqss protocols. However, the quantum Singleton bound still holds when exact equality is replaced by
Algorithm 1. Simulation for vqss (Protocol 1)
• Sharing/Verification phase
– If D is a cheater, S must extract some system to send to T T P:
1. Run Sharing and Verification phases of Protocol 1, simulating honest players. If D is caught cheating,
send “I am cheating” from D to T T P.
2. Choose n − 2t honest players not in B and apply ideal interpolation circuit to extract a system S.
3. Send S to T T P.
– If D is honest, S does not need to send anything to T T P, but must still simulate the sharing protocol.
1. Simulate an execution of the Sharing and Verification phases of Protocol 1, using |0i as the input for
the simulated dealer D0 .
2. Choose n − 2t honest players (they will automatically not be in B since they are honest) and apply the
ideal interpolation circuit to extract the state |0i.
3. The honest D will send a system S to T T P.
Note: Regardless of whether D is honest or not, at the end of the sharing phase of the simulation, the
joint state of the players’ shares is a tree that is (essentially) 2-good in both bases, and to which the ideal
interpolation operator has been applied. Let I be the set of n − 2t honest players (not in B or C) who were
used for interpolation.
• Reconstruction phase
– If R is a cheater, S receives the system S from T T P. S runs the interpolation circuit backwards on the
positions in I, with S in the position of the secret. S sends the resulting shares to R.
– If R is honest, the cheaters send their corrupted shares to S. These are discarded by S.
In both cases, S outputs the final state of A1 as the adversary’s final state.
approximate correctness, and so in fact even statistical
vqss schemes are impossible when t ≥ n/4.
5.
MULTI-PARTY COMPUTATION
In this section we show how to use the vqss protocol
of the previous section to construct a multi-party quantum computing scheme. First, we give a modified vqss
protocol. At the end of the protocol, all players hold a
single qupit. With high fidelity, either the dealer will be
caught cheating or the shares of all honest players will
be consistent in both the computational and Fourier
bases, i.e. there is no set B of “apparent cheaters”. We
then apply fault-tolerant techniques to achieve secure
distributed computation.
5.1
Top-Level Sharing Protocol
We will now restrict attention to protocols tolerating
t < n/6 cheaters, instead of t < n/4 cheaters as before.
Thus, we take n = 6t + 1 for simplicity, and as before
we set δ = 2t (thus δ 0 = 4t). We will work with the
0
css code C given by V = V δ and W = W δ . Recall
that this is the css code for which there exist nearlytransversal fault-tolerant procedures (Section 1.3). Our
goal is to share a state so that at the end all shares of
(q)
(q)
honest players lie in CC = VC ∩ F ⊗n WC .
The new scheme is given in Protocol 3. The idea is
that the previous vqss scheme allows distributed computation of linear gates and Fourier transforms on states
shared by the same dealer. It also allows verifying that
P
a given shared state is either |0i or
|ai. The players will use this to perform a distributed computation
of the encoding gate for the code C. Thus, the dealer
P
will share the secret system S, as well as δ states
|ai
and n − δ − 1 states |0i. Players then apply the (linear)
encoding gate, and each player gets sent all shares of his
component of the output. As before, the main lemmas
are soundness and completeness of the protocol:
Lemma 5.1 (Soundness). At the end of the sharing phase, the system has high fidelity to “either the
dealer is caught or the players’ shares S1 ...Sn lie in CC ”.
Lemma 5.2 (Completeness). When D is honest,
on pure state input |ψi, the shared state will have high
fidelity to span {E|ψi}C (i.e. will differ from E|ψi only
on the cheaters’ shares).
Note the dealer can also prove that he has shared a
|0i state (by showing that his input is |0i).
5.2
Distributed Computation
Given the protocol of the previous section, and known
fault-tolerant techniques, there is a natural protocol for
secure multi-party computation of a circuit: have all
players distribute their inputs via the top-level sharing
(Protocol 3); apply the gates of U one-by-one, using
the (essentially) transversal implementation of the gates
described in Section 1.3; then have all players send their
share of each output to the appropriate receiver. See
Protocol 4.
Protocol 3
(Top-Level Sharing). Dealer D takes as input a qupit S to share.
• 1. (Distribution) The dealer D:
(a) Runs the level 2 vqss protocol on input S.
P
(b) For i = 1, ..., δ: Runs level 2 sharing protocol to share state a |ai (see Remark 2 in Section 3.3)
(c) For i = 1, ..., n − δ − 1: Runs level 2 sharing protocol to share state |0i (see Remark 2 in Section
P 3.3)
Denote the n shared systems by S1 , ..., Sn (i.e. S1 corresponds to S, S2 , ..., Sδ+1 correspond to a |ai and
Sδ+2 , ..., Sn correspond to |0i). Note that each Si is a two-level tree, and thus corresponds to n components
in the hands of each player.
2. (Computation) Collectively, the players apply the Vandermonde matrix to their shares of S1 , ..., Sn . (If
D is honest then system Si encodes the i-th component of an encoding of the input S).
3. For each i, all players send their shares of Si to player i, who decodes them (as per Protocol 2).
• Quantum Reconstruction Input to each player i is the share Si and the identity of the receiver R.
1. Each player i sends his share Si to R.
2. R outputs D(S1 , ..., Sn ) and discards any ancillas (D is the decoding algorithm for C).
Protocol 4 (Multi-party Quantum Computation).
1. Input Phase:
(a) For each i, player i runs Top-Level Sharing with input Si .
(b) If i is caught cheating, then some player who has not been caught cheating yet runs Top-Level Sharing (Protocol 3), except this time with the one-dimensional code span{EC |0i} (i.e. he proves that the state he is sharing
is |0i). If the sharing protocol fails, then another player who has not been caught cheating runs the protocol.
There will be at most t iterations since an honest player will always succeed.
(c) For each ancilla state |0i needed for the circuit, some player who has not been caught
cheating
yet runs Top
Level Sharing (Protocol 3), with the one-dimensional code span{EC δ |0i} or span EC δ0 |0i , as needed. If the
protocol fails, another player performs the sharing, and so forth.
2. Computation Phase: For each gate g in the circuit, players apply the appropriate fault-tolerant circuit, as
described in Section 1.3. Only the measurement used in Degree Reduction is not transversal. To measure the
ancilla:
(a) Each player measures his component and broadcasts the result in the computational basis.
0
(b) Let w be the received word. Players decode w (based on the scaled Reed-Solomon code W δ ), and obtain the
measurement result b.
3. Output Phase: For the ith output wire:
(a) All players send their share of the output wire to player i.
(b) Player i applies the decoding operator for C and outputs the result. If decoding fails (this will occur only with
exponentially small probability), player i outputs |0i.
The only sticking point in the analysis is that the
fault-tolerant procedures require some interaction when
measuring a shared state. All players measure their
share and broadcast the result, applying classical decoding to the resulting word. If the errors occurring in
the measured ancilla were somehow correlated or entangled with errors in the real data, one could imagine that
measuring and broadcasting them might introduce further entanglement. However, this will not be a problem:
on one hand, any errors will occur only in the cheaters’
shares, and so provide nothing beyond what the cheaters
could learn themselves; on the other hand, the honest
players will discard all the information from the broadcast except the decoded measurement result (each honest player performs the decoding locally based on the
broadcast values, so all honest players obtain the same
result). Again, the cheaters can do this themselves.
Lemma 5.3. Suppose that all inputs and ancillas are
shared at the beginning via states in CC . Then the result
of applying the protocol for a given circuit U , and then
sending all states to an honest decoder R is the same
as sending all states to R and having R apply U to the
reconstructed states.
Theorem 5.4. For any circuit U , Protocol 4 is a statistically secure implementation of multi-party quantum
computation as long as t < n/6.
Proof : The proof of this is by simulation, as before.
The key observation is that when the simulator S is
controlling the honest players, the adversary cannot tell
the difference between the regular protocol and the following ideal-model simulation:
1. S runs the input phase as in the protocol, using |0i
as the inputs for honest players. In this phase, if any
dealer is caught cheating, S sends “I am cheating”
to the T T P on behalf of that player.
2. S “swaps” the cheaters’ inputs with bogus data |0i,
and sends the data to the T T P. That is, he applies
the interpolation circuit to honest players’ shares to
get the various input systems Si (for i ∈ C), and
then runs the interpolation circuit backwards, with
the state |0i replacing the original data.
3. S now runs the computation protocol with the adversary on the bogus data. (Because no information
is revealed on the data, the adversary cannot tell this
from the real protocol.)
4. S receives the true computation results destined to
cheating players from T T P.
5. S “swaps” these back into the appropriate sharings,
and sends all shares of the ith wire to player i (again,
he does this only for i ∈ C).
The proof that this simulation succeeds follows from
the security of the top-level sharing protocol and the
previous discussion on fault-tolerant procedures. 2
[8]
[9]
[10]
[11]
[12]
6.
OPEN QUESTIONS
Given our results, the most obvious open question
is if mpqc is possible when n/6 ≤ t < n/4. Another
natural direction of research is to find a vqss protocol
with zero error. For example, the techniques of [5] for
the classical case do not seem to apply to the quantum
setting. Finally, one can ask what tasks are achievable
when we allow cheating players to force the abortion of
the protocol (usually called an “optimistic protocol”).
[13]
[14]
Acknowledgements
Thanks to Richard Cleve for helpful discussions. A.S.
thanks Madhu Sudan for patience, support and advice.
7.
REFERENCES
[1] Proc. of 20th STOC, Chicago, Illinois, 2–4 May
1988.
[2] D. Aharonov and M. Ben-Or. Fault tolerant
quantum computation with constant error rate.
quant-ph/9906129. Preliminary version in STOC
’97. Submitted to SIAM J. Comp., June 1999.
[3] D. Beaver. Multiparty protocols tolerating half
faulty processors. In G. Brassard, editor, Proc. of
CRYPTO ’89, volume 435 of LNCS, pages
560–572. IACR, Springer-Verlag, 1990,
20–24 Aug. 1989.
[4] D. Beaver. Foundations of secure interactive
computing. In Feigenbaum [12], pages 377–391.
[5] M. Ben-Or, S. Goldwasser, and A. Wigderson.
Completeness theorems for non-cryptographic
fault-tolerant distributed computation (extended
abstract). In ACM [1], pages 1–10.
[6] R. Canetti. Universally composable security: A
new paradigm for cryptographic protocols. In
Proc. of FOCS 2001, pages 136–147, 2001.
[7] H. F. Chau. Quantum-classical complexity-
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
security tradeoff in secure multiparty
computations. Physical Review A, 61, March 2000.
D. Chaum, C. Crépeau, and I. Damgård.
Multiparty unconditionally secure protocols
(extended abstract). In ACM [1], pages 11–19.
B. Chor, S. Goldwasser, S. Micali, and
B. Awerbuch. Verifiable secret sharing and
achieving simultaneity in the presence of faults
(extended abstract). In Proc. of 26th FOCS, pages
383–395, Portland, Oregon, 21–23 Oct. 1985. ieee.
R. Cleve, D. Gottesman, and H.-K. Lo. How to
share a quantum secret. Physical Review Letters,
83:648–651, 1999.
R. Cramer, I. Damgård, S. Dziembowski, M. Hirt,
and T. Rabin. Efficient multiparty computations
with dishonest minority. In J. Stern, editor, Proc.
of EUROCRYPT 99, volume 1592 of LNCS.
IACR, Springer-Verlag, 1999.
J. Feigenbaum, editor. Proc. of CRYPTO ’91,
volume 576 of LNCS. IACR, Springer-Verlag,
1992, 11–15 Aug. 1991.
O. Goldreich, S. Micali, and A. Wigderson. How
to play any mental game or a completeness
theorem for protocols with honest majority. In
Proc. of 19th STOC, pages 218–229, New York
City, 25–27 May 1987.
S. Goldwasser and L. A. Levin. Fair computation
of general functions in presence of immoral
majority. In A. J. Menezes and S. A. Vanstone,
editors, Proc. of CRYPTO ’90, volume 537 of
LNCS, pages 77–93. IACR, Springer-Verlag, 1991.
D. Gottesman and C. H. Bennett. Unpublished
work. 1998.
E. Knill and R. Laflamme. A theory of quantum
error-correcting codes. Physical Review A,
55:900–911, 1997. quant-ph/9604034.
H.-K. Lo and H. F. Chau. Unconditional security
of quantum key distribution over arbitrary long
distances. Science, 283(5410):2050–2056,
26 March 1999.
S. Micali and P. Rogaway. Secure computation
(abstract). In Feigenbaum [12], pages 392–404.
M. Nielsen and I. Chuang. Quantum Computation
and Quantum Information. Cambridge University
Press, 2000.
B. Pfitzmann and M. Waidner. Composition and
integrity preservation of secure reactive systems.
In Proc. of Computer and Communications
Security, pages 245–254, 2000.
T. Rabin and M. Ben-Or. Verifiable secret sharing
and multiparty protocols with honest majority
(extended abstract). In Proc. of 21st STOC, pages
73–85, Seattle, Washington, 15–17 May 1989.
A. Smith. Multi-party quantum computation.
Master’s thesis, MIT, Aug. 2001. Available as
quant-ph/0111030.